We created a new instance of Discourse. It has multiple private categories and just one public category while the product we’re working on is in beta.
How do I make sure that for anonymous users there is absolutely no way to list all users through API nor through UI?
The only settings I found that seem relevant are:
Just wanna make 1000% sure I don’t expose the users list in any way. Please advise.
Depends on what you mean exactly by “exposing” users. Any user that posts in the public category will be public, and then it depends on what percentage of your users will interact in that specific category.
I mean for an anonymous user to reveal the list of users. Like e.g. listing all users through API, or seeing the list in “Top Users”, or through Search function, or in any other way that I’m unaware of.
Users can still be listed via the API unless you site isn’t public, aka, login required is enabled.
Is this correct behaviour provided I disabled the users directory?
Also, when you’re saying the list will still be exposed via API, do you mean to all anonymous users?
That setting objective, AFAIK, is only to remove the user leaderboard.
Yes.
Would it be possible to make it into a feature request? A way to make it impossible to list all users while having some public categories?
Is that because it’s considered futile to hide that data if stuff is understandably exposed in unpredictable amounts from public topic lists in any case?
In our particular case, there is a group of people working on something, and only small part of the group contribute to the public category.
I don’t think anyone planned it so much, it’s more that Discourse has two basic modes: public and private. The setting to hide the leaderboard does exactly what it says, it hides the leaderboard. Why would it do something extra?
Feel free to write up an spec of what you want, but as it’s a very boring work to do and such a niche use case you would have more luck posting it to the marketplace if you want to see it anytime soon.
So, for now, it would seem sensible to spin up two instances if you value the complete privacy of a core group. Fair enough.
That said, it’s not like it’s exposing email addresses in any case.